<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Architecture :: Spring Security</title>
<link rel="canonical" href="../../servlet/architecture.html">
<link rel="prev" href="getting-started.html">
<link rel="next" href="authentication/index.html">
<meta name="generator" content="Antora 3.0.0">
<link rel="stylesheet" href="../../_/css/site.css">
<link href="../../_/img/favicon.ico" rel='shortcut icon' type='image/vnd.microsoft.icon'>
<link rel="stylesheet" href="../../_/css/vendor/docsearch.min.css">

<script>var uiRootPath = '../../_'</script>
</head>
<body class="article">
<header class="header">
<nav class="navbar">
<div class="navbar-brand">
<a class="navbar-item" href="https://spring.io">
<img id="springlogo" class="block" src="../../_/img/spring-logo.svg" alt="Spring">
</a>
<button class="navbar-burger" data-target="topbar-nav">
<span></span>
<span></span>
<span></span>
</button>
</div>
<div id="topbar-nav" class="navbar-menu">
<div class="navbar-end">
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Why Spring</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/why-spring">Overview</a>
<a class="navbar-item" href="https://spring.io/microservices">Microservices</a>
<a class="navbar-item" href="https://spring.io/reactive">Reactive</a>
<a class="navbar-item" href="https://spring.io/event-driven">Event Driven</a>
<a class="navbar-item" href="https://spring.io/cloud">Cloud</a>
<a class="navbar-item" href="https://spring.io/web-applications">Web Applications</a>
<a class="navbar-item" href="https://spring.io/serverless">Serverless</a>
<a class="navbar-item" href="https://spring.io/batch">Batch</a>
</div>
</div>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Learn</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/learn">Overview</a>
<a class="navbar-item" href="https://spring.io/quickstart">Quickstart</a>
<a class="navbar-item" href="https://spring.io/guides">Guides</a>
<a class="navbar-item" href="https://spring.io/blog">Blog</a>
</div>
</div>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Projects</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/projects">Overview</a>
<a class="navbar-item" href="https://spring.io/projects/spring-boot">Spring Boot</a>
<a class="navbar-item" href="https://spring.io/projects/spring-framework">Spring Framework</a>
<a class="navbar-item" href="https://spring.io/projects/spring-cloud">Spring Cloud</a>
<a class="navbar-item" href="https://spring.io/projects/spring-cloud-dataflow">Spring Cloud Data Flow</a>
<a class="navbar-item" href="https://spring.io/projects/spring-data">Spring Data</a>
<a class="navbar-item" href="https://spring.io/projects/spring-integration">Spring Integration</a>
<a class="navbar-item" href="https://spring.io/projects/spring-batch">Spring Batch</a>
<a class="navbar-item" href="https://spring.io/projects/spring-security">Spring Security</a>
<a class="navbar-item navbar-item-special" href="https://spring.io/projects">View all projects</a>
<a class="navbar-item" href="https://spring.io/tools">Spring Tools 4</a>
<a class="navbar-item navbar-item-special-2" href="https://start.spring.io">Spring Initializr <svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><polyline points="15 10.94 15 15 1 15 1 1 5.06 1" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></polyline><polyline points="8.93 1 15 1 15 7.07" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></polyline><line x1="15" y1="1" x2="8" y2="8" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></line></svg></a>
</div>
</div>
<a class="navbar-item" href="https://spring.io/training">Training</a>
<a class="navbar-item" href="https://spring.io/support">Support</a>
<div class="navbar-item has-dropdown is-hoverable is-community">
<a class="navbar-link" href="architecture.html#">Community</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/community">Overview</a>
<a class="navbar-item" href="https://spring.io/events">Events</a>
<a class="navbar-item" href="https://spring.io/team">Team</a>
</div>
</div>
</div>
</div>
<div id="switch-theme">
<input type="checkbox" id="switch-theme-checkbox" />
<label for="switch-theme-checkbox">Dark Theme</label>
</div>
</nav>
</header>
<div class="body">
<div class="nav-container" data-component="ROOT" data-version="5.6.1">
<aside class="nav">
<div class="panels">
<div class="nav-panel-menu is-active" data-panel="menu">
<nav class="nav-menu">
<h3 class="title"><a href="../index.html">Spring Security</a></h3>
<ul class="nav-list">
<li class="nav-item" data-depth="0">
<ul class="nav-list">
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../index.html">Overview</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../prerequisites.html">Prerequisites</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../community.html">Community</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../whats-new.html">What&#8217;s New</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../getting-spring-security.html">Getting Spring Security</a>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../features/index.html">Features</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../features/authentication/index.html">Authentication</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/authentication/password-storage.html">Password Storage</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../features/exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/exploits/csrf.html">CSRF</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/exploits/headers.html">HTTP Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/exploits/http.html">HTTP Requests</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../features/integrations/index.html">Integrations</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/integrations/cryptography.html">Cryptography</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/integrations/data.html">Spring Data</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/integrations/concurrency.html">Java&#8217;s Concurrency APIs</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/integrations/jackson.html">Jackson</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../features/integrations/localization.html">Localization</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../modules.html">Project Modules</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../samples.html">Samples</a>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="index.html">Servlet Applications</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<a class="nav-link" href="getting-started.html">Getting Started</a>
</li>
<li class="nav-item is-current-page" data-depth="2">
<a class="nav-link" href="architecture.html">Architecture</a>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="authentication/index.html">Authentication</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/architecture.html">Authentication Architecture</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="authentication/passwords/index.html">Username/Password</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="authentication/passwords/input.html">Reading Username/Password</a>
<ul class="nav-list">
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/form.html">Form</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/basic.html">Basic</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/digest.html">Digest</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="4">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="authentication/passwords/storage.html">Password Storage</a>
<ul class="nav-list">
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/in-memory.html">In Memory</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/jdbc.html">JDBC</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/user-details.html">UserDetails</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/user-details-service.html">UserDetailsService</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/password-encoder.html">PasswordEncoder</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/dao-authentication-provider.html">DaoAuthenticationProvider</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="authentication/passwords/ldap.html">LDAP</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/session-management.html">Session Management</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/rememberme.html">Remember Me</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/openid.html">OpenID</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/anonymous.html">Anonymous</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/preauth.html">Pre-Authentication</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/jaas.html">JAAS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/cas.html">CAS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/x509.html">X509</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/runas.html">Run-As</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/logout.html">Logout</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authentication/events.html">Authentication Events</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="authorization/index.html">Authorization</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/architecture.html">Authorization Architecture</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/authorize-http-requests.html">Authorize HTTP Requests</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/authorize-requests.html">Authorize HTTP Requests with FilterSecurityInterceptor</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/expression-based.html">Expression-Based Access Control</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/secure-objects.html">Secure Object Implementations</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/method-security.html">Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="authorization/acls.html">Domain Object Security ACLs</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="oauth2/index.html">OAuth2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="oauth2/login/index.html">OAuth2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/login/core.html">Core Configuration</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/login/advanced.html">Advanced Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="oauth2/client/index.html">OAuth2 Client</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/client/core.html">Core Interfaces and Classes</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/client/authorization-grants.html">OAuth2 Authorization Grants</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/client/client-authentication.html">OAuth2 Client Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/client/authorized-clients.html">OAuth2 Authorized Clients</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="oauth2/resource-server/index.html">OAuth2 Resource Server</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/resource-server/jwt.html">JWT</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/resource-server/opaque-token.html">Opaque Token</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/resource-server/multitenancy.html">Multitenancy</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="oauth2/resource-server/bearer-tokens.html">Bearer Tokens</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="saml2/index.html">SAML2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="saml2/login/index.html">SAML2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="saml2/login/overview.html">SAML2 Log In Overview</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="saml2/login/authentication-requests.html">SAML2 Authentication Requests</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="saml2/login/authentication.html">SAML2 Authentication Responses</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="saml2/logout.html">SAML2 Logout</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="saml2/metadata.html">SAML2 Metadata</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="exploits/csrf.html">Cross Site Request Forgery (CSRF) for Servlet Environments</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="exploits/headers.html">Security HTTP Response Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="exploits/http.html">HTTP</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="exploits/firewall.html">HttpFirewall</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="integrations/index.html">Integrations</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/concurrency.html">Concurrency</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/jackson.html">Jackson</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/localization.html">Localization</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/servlet-api.html">Servlet APIs</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/data.html">Spring Data</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/mvc.html">Spring MVC</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/websocket.html">WebSocket</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/cors.html">Spring&#8217;s CORS Support</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="integrations/jsp-taglibs.html">JSP Taglib</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Configuration</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="configuration/java.html">Java Configuration</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="configuration/kotlin.html">Kotlin Configuration</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="configuration/xml-namespace.html">Namespace Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="test/index.html">Testing</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/method.html">Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/mockmvc/index.html">MockMvc Support</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/mockmvc/setup.html">MockMvc Setup</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="test/mockmvc/request-post-processors.html">Security RequestPostProcessors</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/authentication.html">Mocking Users</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/csrf.html">Mocking CSRF</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/form-login.html">Mocking Form Login</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/http-basic.html">Mocking HTTP Basic</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/oauth2.html">Mocking OAuth2</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="test/mockmvc/logout.html">Mocking Logout</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/mockmvc/request-builders.html">Security RequestBuilders</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/mockmvc/result-matchers.html">Security ResultMatchers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="test/mockmvc/result-handlers.html">Security ResultHandlers</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="appendix/index.html">Appendix</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="appendix/database-schema.html">Database Schemas</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="appendix/namespace/index.html">XML Namespace</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="appendix/namespace/authentication-manager.html">Authentication Services</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="appendix/namespace/http.html">Web Security</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="appendix/namespace/method-security.html">Method Security</a>
</li>
<li class="nav-item" data-depth="4">
 <a class="nav-link" href="appendix/namespace/ldap.html">LDAP Security</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="appendix/namespace/websocket.html">WebSocket Security</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="appendix/faq.html">FAQ</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/index.html">Reactive Applications</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../reactive/getting-started.html">Getting Started</a>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Authentication</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/authentication/x509.html">X.509 Authentication</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/authentication/logout.html">Logout</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Authorization</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/authorization/method.html">EnableReactiveMethodSecurity</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/oauth2/index.html">OAuth2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/oauth2/login/index.html">OAuth2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/login/core.html">Core Configuration</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/login/advanced.html">Advanced Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/oauth2/client/index.html">OAuth2 Client</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/client/core.html">Core Interfaces and Classes</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/client/authorization-grants.html">OAuth2 Authorization Grants</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/client/client-authentication.html">OAuth2 Client Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/client/authorized-clients.html">OAuth2 Authorized Clients</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/oauth2/resource-server/index.html">OAuth2 Resource Server</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/resource-server/jwt.html">JWT</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/resource-server/opaque-token.html">Opaque Token</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/resource-server/multitenancy.html">Multitenancy</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/oauth2/resource-server/bearer-tokens.html">Bearer Tokens</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/exploits/csrf.html">CSRF</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/exploits/headers.html">Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/exploits/http.html">HTTP Requests</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Integrations</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/integrations/cors.html">CORS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/integrations/rsocket.html">RSocket</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/test/index.html">Testing</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../reactive/test/method.html">Testing Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../reactive/test/web/index.html">Testing Web Security</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/test/web/setup.html">WebTestClient Setup</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/test/web/authentication.html">Testing Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/test/web/csrf.html">Testing CSRF</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../reactive/test/web/oauth2.html">Testing OAuth 2.0</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../reactive/configuration/webflux.html">WebFlux Security</a>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</nav>
</div>
<div class="nav-panel-explore" data-panel="explore">
<div class="context">
<span class="title">Spring Security</span>
<span class="version">5.6.1</span>
</div>
<ul class="components">
<li class="component is-current">
<a class="title" href="../../index.html">Spring Security</a>
<ul class="versions">
<li class="version">
<a href="../../6.0/index.html">6.0.0-SNAPSHOT</a>
</li>
<li class="version">
<a href="../../6.0.0-M3/index.html">6.0.0-M3</a>
</li>
<li class="version">
<a href="../../6.0.0-M2/index.html">6.0.0-M2</a>
</li>
<li class="version">
<a href="../../6.0.0-M1/index.html">6.0.0-M1</a>
</li>
<li class="version">
<a href="../../5.7/index.html">5.7.0-SNAPSHOT</a>
</li>
<li class="version">
<a href="../../5.7.0-RC1/index.html">5.7.0-RC1</a>
</li>
<li class="version">
<a href="../../5.7.0-M3/index.html">5.7.0-M3</a>
</li>
<li class="version">
<a href="../../5.7.0-M2/index.html">5.7.0-M2</a>
</li>
<li class="version">
<a href="../../5.7.0-M1/index.html">5.7.0-M1</a>
</li>
<li class="version">
<a href="../../5.6.4/index.html">5.6.4-SNAPSHOT</a>
</li>
<li class="version is-latest">
<a href="../../index.html">5.6.3</a>
</li>
<li class="version">
<a href="../../5.6.2/index.html">5.6.2</a>
</li>
<li class="version is-current">
<a href="../index.html">5.6.1</a>
</li>
<li class="version">
<a href="../../5.6.0/index.html">5.6.0</a>
</li>
<li class="version">
<a href="../../5.6.0-RC1/index.html">5.6.0-RC1</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</aside>
</div>
<main class="article">
<div class="toolbar" role="navigation">
<button class="nav-toggle"></button>
<nav class="breadcrumbs" aria-label="breadcrumbs">
<ul>
<li><a href="../index.html">Spring Security</a></li>
<li><a href="index.html">Servlet Applications</a></li>
<li><a href="architecture.html">Architecture</a></li>
</ul>
</nav>
<div class="search">
<input id="search-input" type="text" placeholder="Search docs">
</div>
<div class="page-versions">
<button class="version-menu-toggle" title="Show other versions of page">5.6.1</button>
<div class="version-menu">
<a class="version" href="../../6.0/servlet/architecture.html">6.0.0-SNAPSHOT</a>
<a class="version" href="../../6.0.0-M3/servlet/architecture.html">6.0.0-M3</a>
<a class="version" href="../../6.0.0-M2/servlet/architecture.html">6.0.0-M2</a>
<a class="version" href="../../6.0.0-M1/servlet/architecture.html">6.0.0-M1</a>
<a class="version" href="../../5.7/servlet/architecture.html">5.7.0-SNAPSHOT</a>
<a class="version" href="../../5.7.0-RC1/servlet/architecture.html">5.7.0-RC1</a>
<a class="version" href="../../5.7.0-M3/servlet/architecture.html">5.7.0-M3</a>
<a class="version" href="../../5.7.0-M2/servlet/architecture.html">5.7.0-M2</a>
<a class="version" href="../../5.7.0-M1/servlet/architecture.html">5.7.0-M1</a>
<a class="version" href="../../5.6.4/servlet/architecture.html">5.6.4-SNAPSHOT</a>
<a class="version" href="../../servlet/architecture.html">5.6.3</a>
<a class="version" href="../../5.6.2/servlet/architecture.html">5.6.2</a>
<a class="version is-current" href="architecture.html">5.6.1</a>
<a class="version" href="../../5.6.0/servlet/architecture.html">5.6.0</a>
<a class="version" href="../../5.6.0-RC1/servlet/architecture.html">5.6.0-RC1</a>
</div>
</div>
<div class="edit-this-page"><a href="https://github.com/spring-projects/spring-security/blob/5.6.1/docs/modules/ROOT/pages/servlet/architecture.adoc">Edit this Page</a></div>
</div>
<div class="content">
<aside class="toc sidebar" data-title="Contents" data-levels="2">
<div class="toc-menu"></div>
</aside>
<article class="doc">
<div class="admonitionblock important">
<table>
<tbody><tr>
<td class="icon">
<i class="fa icon-important" title="Important"></i>
</td>
<td class="content">
<div class="paragraph">
<p> For the latest stable version, please use <a href="../../servlet/architecture.html">Spring Security 5.6.3</a>!</p>
</div>
</td>
</tr></tbody>
</table>
</div>
<h1 id="page-title" class="page">Architecture</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This section discusses Spring Security&#8217;s high level architecture within Servlet based applications.
We build on this high level understanding within <a href="authentication/index.html#servlet-authentication" class="xref page">Authentication</a>, <a href="authorization/index.html#servlet-authorization" class="xref page">Authorization</a>, <a href="exploits/index.html#servlet-exploits" class="xref page">Protection Against Exploits</a> sections of the reference.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-filters-review"><a class="anchor" href="architecture.html#servlet-filters-review"></a>A Review of <code>Filter</code>s</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Spring Security&#8217;s Servlet support is based on Servlet <code>Filter</code>s, so it is helpful to look at the role of <code>Filter</code>s generally first.
The picture below shows the typical layering of the handlers for a single HTTP request.</p>
</div>
<div id="servlet-filterchain-figure" class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/filterchain.png" alt="filterchain">
</div>
<div class="title">Figure 1. FilterChain</div>
</div>
<div class="paragraph">
<p>The client sends a request to the application, and the container creates a <code>FilterChain</code> which contains the <code>Filter</code>s and <code>Servlet</code> that should process the <code>HttpServletRequest</code> based on the path of the request URI.
In a Spring MVC application the <code>Servlet</code> is an instance of <a href="https://docs.spring.io/spring-framework/docs/5.3.14/reference/html/web.html#mvc-servlet"><code>DispatcherServlet</code></a>.
At most one <code>Servlet</code> can handle a single <code>HttpServletRequest</code> and <code>HttpServletResponse</code>.
However, more than one <code>Filter</code> can be used to:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Prevent downstream <code>Filter</code>s or the <code>Servlet</code> from being invoked.
In this instance the <code>Filter</code> will typically write the <code>HttpServletResponse</code>.</p>
</li>
<li>
<p>Modify the <code>HttpServletRequest</code> or <code>HttpServletResponse</code> used by the downstream <code>Filter</code>s and <code>Servlet</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The power of the <code>Filter</code> comes from the <code>FilterChain</code> that is passed into it.</p>
</div>
<div class="exampleblock">
<div class="title">Example 1. <code>FilterChain</code> Usage Example</div>
<div class="content">
<div class="listingblock primary">
<div class="title">Java</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-java hljs" data-lang="java">public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
	// do something before the rest of the application
    chain.doFilter(request, response); // invoke the rest of the application
    // do something after the rest of the application
}</code></pre>
</div>
</div>
<div class="listingblock secondary">
<div class="title">Kotlin</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-kotlin hljs" data-lang="kotlin">fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
    // do something before the rest of the application
    chain.doFilter(request, response) // invoke the rest of the application
    // do something after the rest of the application
}</code></pre>
</div>
</div>
</div>
</div>
<div class="paragraph">
<p>Since a <code>Filter</code> only impacts downstream <code>Filter</code>s and the <code>Servlet</code>, the order each <code>Filter</code> is invoked is extremely important.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-delegatingfilterproxy"><a class="anchor" href="architecture.html#servlet-delegatingfilterproxy"></a>DelegatingFilterProxy</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Spring provides a <code>Filter</code> implementation named <a href="https://docs.spring.io/spring-framework/docs/5.3.14/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html"><code>DelegatingFilterProxy</code></a> that allows bridging between the Servlet container&#8217;s lifecycle and Spring&#8217;s <code>ApplicationContext</code>.
The Servlet container allows registering <code>Filter</code>s using its own standards, but it is not aware of Spring defined Beans.
<code>DelegatingFilterProxy</code> can be registered via standard Servlet container mechanisms, but delegate all the work to a Spring Bean that implements <code>Filter</code>.</p>
</div>
<div class="paragraph">
<p>Here is a picture of how <code>DelegatingFilterProxy</code> fits into the <a href="architecture.html#servlet-filters-review"><code>Filter</code>s and the <code>FilterChain</code></a>.</p>
</div>
<div id="servlet-delegatingfilterproxy-figure" class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/delegatingfilterproxy.png" alt="delegatingfilterproxy">
</div>
<div class="title">Figure 2. DelegatingFilterProxy</div>
</div>
<div class="paragraph">
<p><code>DelegatingFilterProxy</code> looks up <em>Bean Filter<sub>0</sub></em> from the <code>ApplicationContext</code> and then invokes <em>Bean Filter<sub>0</sub></em>.
The pseudo code of <code>DelegatingFilterProxy</code> can be seen below.</p>
</div>
<div class="exampleblock">
<div class="title">Example 2. <code>DelegatingFilterProxy</code> Pseudo Code</div>
<div class="content">
<div class="listingblock primary">
<div class="title">Java</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-java hljs" data-lang="java">public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
	// Lazily get Filter that was registered as a Spring Bean
	// For the example in <a href="architecture.html#servlet-delegatingfilterproxy-figure">DelegatingFilterProxy</a> <code>delegate</code> is an instance of <em>Bean Filter<sub>0</sub></em>
	Filter delegate = getFilterBean(someBeanName);
	// delegate work to the Spring Bean
	delegate.doFilter(request, response);
}</code></pre>
</div>
</div>
<div class="listingblock secondary">
<div class="title">Kotlin</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-kotlin hljs" data-lang="kotlin">fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
	// Lazily get Filter that was registered as a Spring Bean
	// For the example in <a href="architecture.html#servlet-delegatingfilterproxy-figure">DelegatingFilterProxy</a> <code>delegate</code> is an instance of <em>Bean Filter<sub>0</sub></em>
	val delegate: Filter = getFilterBean(someBeanName)
	// delegate work to the Spring Bean
	delegate.doFilter(request, response)
}</code></pre>
</div>
</div>
</div>
</div>
<div class="paragraph">
<p>Another benefit of <code>DelegatingFilterProxy</code> is that it allows delaying looking <code>Filter</code> bean instances.
This is important because the container needs to register the <code>Filter</code> instances before the container can startup.
However, Spring typically uses a <code>ContextLoaderListener</code> to load the Spring Beans which will not be done until after the <code>Filter</code> instances need to be registered.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-filterchainproxy"><a class="anchor" href="architecture.html#servlet-filterchainproxy"></a>FilterChainProxy</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Spring Security&#8217;s Servlet support is contained within <code>FilterChainProxy</code>.
<code>FilterChainProxy</code> is a special <code>Filter</code> provided by Spring Security that allows delegating to many <code>Filter</code> instances through <a href="architecture.html#servlet-securityfilterchain"><code>SecurityFilterChain</code></a>.
Since <code>FilterChainProxy</code> is a Bean, it is typically wrapped in a <a href="architecture.html#servlet-delegatingfilterproxy">DelegatingFilterProxy</a>.</p>
</div>
<div id="servlet-filterchainproxy-figure" class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/filterchainproxy.png" alt="filterchainproxy">
</div>
<div class="title">Figure 3. FilterChainProxy</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-securityfilterchain"><a class="anchor" href="architecture.html#servlet-securityfilterchain"></a>SecurityFilterChain</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/SecurityFilterChain.html"><code>SecurityFilterChain</code></a> is used by <a href="architecture.html#servlet-filterchainproxy">FilterChainProxy</a> to determine which Spring Security <code>Filter</code>s should be invoked for this request.</p>
</div>
<div id="servlet-securityfilterchain-figure" class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/securityfilterchain.png" alt="securityfilterchain">
</div>
<div class="title">Figure 4. SecurityFilterChain</div>
</div>
<div class="paragraph">
<p>The <a href="architecture.html#servlet-security-filters">Security Filters</a> in <code>SecurityFilterChain</code> are typically Beans, but they are registered with <code>FilterChainProxy</code> instead of <a href="architecture.html#servlet-delegatingfilterproxy">DelegatingFilterProxy</a>.
<code>FilterChainProxy</code> provides a number of advantages to registering directly with the Servlet container or <a href="architecture.html#servlet-delegatingfilterproxy">DelegatingFilterProxy</a>.
First, it provides a starting point for all of Spring Security&#8217;s Servlet support.
For that reason, if you are attempting to troubleshoot Spring Security&#8217;s Servlet support, adding a debug point in <code>FilterChainProxy</code> is a great place to start.</p>
</div>
<div class="paragraph">
<p>Second, since <code>FilterChainProxy</code> is central to Spring Security usage it can perform tasks that are not viewed as optional.
For example, it clears out the <code>SecurityContext</code> to avoid memory leaks.
It also applies Spring Security&#8217;s <a href="exploits/firewall.html#servlet-httpfirewall" class="xref page"><code>HttpFirewall</code></a> to protect applications against certain types of attacks.</p>
</div>
<div class="paragraph">
<p>In addition, it provides more flexibility in determining when a <code>SecurityFilterChain</code> should be invoked.
In a Servlet container, <code>Filter</code>s are invoked based upon the URL alone.
However, <code>FilterChainProxy</code> can determine invocation based upon anything in the <code>HttpServletRequest</code> by leveraging the <code>RequestMatcher</code> interface.</p>
</div>
<div class="paragraph">
<p>In fact, <code>FilterChainProxy</code> can be used to determine which <code>SecurityFilterChain</code> should be used.
This allows providing a totally separate configuration for different <em>slices</em> of your application.</p>
</div>
<div id="servlet-multi-securityfilterchain-figure" class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/multi-securityfilterchain.png" alt="multi securityfilterchain">
</div>
<div class="title">Figure 5. Multiple SecurityFilterChain</div>
</div>
<div class="paragraph">
<p>In the <a href="architecture.html#servlet-multi-securityfilterchain-figure">Multiple SecurityFilterChain</a> Figure <code>FilterChainProxy</code> decides which <code>SecurityFilterChain</code> should be used.
Only the first <code>SecurityFilterChain</code> that matches will be invoked.
If a URL of <code>/api/messages/</code> is requested, it will first match on <code>SecurityFilterChain<sub>0</sub></code>'s pattern of <code>/api/**</code>, so only <code>SecurityFilterChain<sub>0</sub></code> will be invoked even though it also matches on <code>SecurityFilterChain<sub>n</sub></code>.
If a URL of <code>/messages/</code> is requested, it will not match on <code>SecurityFilterChain<sub>0</sub></code>'s pattern of <code>/api/**</code>, so <code>FilterChainProxy</code> will continue trying each <code>SecurityFilterChain</code>.
Assuming that no other, <code>SecurityFilterChain</code> instances match <code>SecurityFilterChain<sub>n</sub></code> will be invoked.</p>
</div>
<div class="paragraph">
<p>Notice that <code>SecurityFilterChain<sub>0</sub></code> has only three security <code>Filter</code>s instances configured.
However, <code>SecurityFilterChain<sub>n</sub></code> has four security <code>Filter</code>s configured.
It is important to note that each <code>SecurityFilterChain</code> can be unique and configured in isolation.
In fact, a <code>SecurityFilterChain</code> might have zero security <code>Filter</code>s if the application wants Spring Security to ignore certain requests.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-security-filters"><a class="anchor" href="architecture.html#servlet-security-filters"></a>Security Filters</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Security Filters are inserted into the <a href="architecture.html#servlet-filterchainproxy">FilterChainProxy</a> with the <a href="architecture.html#servlet-securityfilterchain">SecurityFilterChain</a> API.
The <a href="architecture.html#servlet-filters-review">order of <code>Filter</code></a>s matters.
It is typically not necessary to know the ordering of Spring Security&#8217;s <code>Filter</code>s.
However, there are times that it is beneficial to know the ordering</p>
</div>
<div class="paragraph">
<p>Below is a comprehensive list of Spring Security Filter ordering:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>ChannelProcessingFilter</p>
</li>
<li>
<p>WebAsyncManagerIntegrationFilter</p>
</li>
<li>
<p>SecurityContextPersistenceFilter</p>
</li>
<li>
<p>HeaderWriterFilter</p>
</li>
<li>
<p>CorsFilter</p>
</li>
<li>
<p>CsrfFilter</p>
</li>
<li>
<p>LogoutFilter</p>
</li>
<li>
<p>OAuth2AuthorizationRequestRedirectFilter</p>
</li>
<li>
<p>Saml2WebSsoAuthenticationRequestFilter</p>
</li>
<li>
<p>X509AuthenticationFilter</p>
</li>
<li>
<p>AbstractPreAuthenticatedProcessingFilter</p>
</li>
<li>
<p>CasAuthenticationFilter</p>
</li>
<li>
<p>OAuth2LoginAuthenticationFilter</p>
</li>
<li>
<p>Saml2WebSsoAuthenticationFilter</p>
</li>
<li>
<p><a href="authentication/passwords/form.html#servlet-authentication-usernamepasswordauthenticationfilter" class="xref page"><code>UsernamePasswordAuthenticationFilter</code></a></p>
</li>
<li>
<p>OpenIDAuthenticationFilter</p>
</li>
<li>
<p>DefaultLoginPageGeneratingFilter</p>
</li>
<li>
<p>DefaultLogoutPageGeneratingFilter</p>
</li>
<li>
<p>ConcurrentSessionFilter</p>
</li>
<li>
<p><a href="authentication/passwords/digest.html#servlet-authentication-digest" class="xref page"><code>DigestAuthenticationFilter</code></a></p>
</li>
<li>
<p>BearerTokenAuthenticationFilter</p>
</li>
<li>
<p><a href="authentication/passwords/basic.html#servlet-authentication-basic" class="xref page"><code>BasicAuthenticationFilter</code></a></p>
</li>
<li>
<p>RequestCacheAwareFilter</p>
</li>
<li>
<p>SecurityContextHolderAwareRequestFilter</p>
</li>
<li>
<p>JaasApiIntegrationFilter</p>
</li>
<li>
<p>RememberMeAuthenticationFilter</p>
</li>
<li>
<p>AnonymousAuthenticationFilter</p>
</li>
<li>
<p>OAuth2AuthorizationCodeGrantFilter</p>
</li>
<li>
<p>SessionManagementFilter</p>
</li>
<li>
<p><a href="architecture.html#servlet-exceptiontranslationfilter"><code>ExceptionTranslationFilter</code></a></p>
</li>
<li>
<p><a href="authorization/authorize-requests.html#servlet-authorization-filtersecurityinterceptor" class="xref page"><code>FilterSecurityInterceptor</code></a></p>
</li>
<li>
<p>SwitchUserFilter</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-exceptiontranslationfilter"><a class="anchor" href="architecture.html#servlet-exceptiontranslationfilter"></a>Handling Security Exceptions</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/access/ExceptionTranslationFilter.html"><code>ExceptionTranslationFilter</code></a> allows translation of <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/access/AccessDeniedException.html"><code>AccessDeniedException</code></a> and <a href="https://docs.spring.io/spring-security/site/docs/current/api//org/springframework/security/core/AuthenticationException.html"><code>AuthenticationException</code></a> into HTTP responses.</p>
</div>
<div class="paragraph">
<p><code>ExceptionTranslationFilter</code> is inserted into the <a href="architecture.html#servlet-filterchainproxy">FilterChainProxy</a> as one of the <a href="architecture.html#servlet-security-filters">Security Filters</a>.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../_images/servlet/architecture/exceptiontranslationfilter.png" alt="exceptiontranslationfilter">
</div>
</div>
<div class="ulist">
<ul>
<li>
<p><span class="image"><img src="../_images/icons/number_1.png" alt="number 1"></span> First, the <code>ExceptionTranslationFilter</code> invokes <code>FilterChain.doFilter(request, response)</code> to invoke the rest of the application.</p>
</li>
<li>
<p><span class="image"><img src="../_images/icons/number_2.png" alt="number 2"></span> If the user is not authenticated or it is an <code>AuthenticationException</code>, then <em>Start Authentication</em>.</p>
<div class="ulist">
<ul>
<li>
<p>The <a href="authentication/architecture.html#servlet-authentication-securitycontextholder" class="xref page">SecurityContextHolder</a> is cleared out</p>
</li>
<li>
<p>The <code>HttpServletRequest</code> is saved in the <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/savedrequest/RequestCache.html"><code>RequestCache</code></a>.
When the user successfully authenticates, the <code>RequestCache</code> is used to replay the original request.</p>
</li>
<li>
<p>The <code>AuthenticationEntryPoint</code> is used to request credentials from the client.
For example, it might redirect to a log in page or send a <code>WWW-Authenticate</code> header.</p>
</li>
</ul>
</div>
</li>
<li>
<p><span class="image"><img src="../_images/icons/number_3.png" alt="number 3"></span> Otherwise if it is an <code>AccessDeniedException</code>, then <em>Access Denied</em>.
The <code>AccessDeniedHandler</code> is invoked to handle access denied.</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>If the application does not throw an <code>AccessDeniedException</code> or an <code>AuthenticationException</code>, then <code>ExceptionTranslationFilter</code> does not do anything.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The pseudocode for <code>ExceptionTranslationFilter</code> looks something like this:</p>
</div>
<div class="listingblock">
<div class="title">ExceptionTranslationFilter pseudocode</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-java hljs" data-lang="java">try {
	filterChain.doFilter(request, response); <i class="conum" data-value="1"></i><b>(1)</b>
} catch (AccessDeniedException | AuthenticationException ex) {
	if (!authenticated || ex instanceof AuthenticationException) {
		startAuthentication(); <i class="conum" data-value="2"></i><b>(2)</b>
	} else {
		accessDenied(); <i class="conum" data-value="3"></i><b>(3)</b>
	}
}</code></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>You will recall from <a href="architecture.html#servlet-filters-review">A Review of <code>Filter</code>s</a> that invoking <code>FilterChain.doFilter(request, response)</code> is the equivalent of invoking the rest of the application.
This means that if another part of the application, (i.e. <a href="authorization/authorize-requests.html#servlet-authorization-filtersecurityinterceptor" class="xref page"><code>FilterSecurityInterceptor</code></a> or method security) throws an <code>AuthenticationException</code> or <code>AccessDeniedException</code> it will be caught and handled here.</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>If the user is not authenticated or it is an <code>AuthenticationException</code>, then <em>Start Authentication</em>.</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>Otherwise, <em>Access Denied</em></td>
</tr>
</table>
</div>
</div>
</div>
<nav class="pagination">
<span class="prev"><a href="getting-started.html">Getting Started</a></span>
<span class="next"><a href="authentication/index.html">Authentication</a></span>
</nav>
</article>
</div>
</main>
</div>
<footer class="footer flex">
<div id="spring-links flex">
<img id="springlogo" src="../../_/img/spring-logo.svg" alt="Spring">
<p class="smallest antialiased">© <script>var d = new Date();
        document.write(d.getFullYear());</script> <a href="https://www.vmware.com/">VMware</a>, Inc. or its affiliates. <a href="https://www.vmware.com/help/legal.html">Terms of Use</a> • <a href="https://www.vmware.com/help/privacy.html" rel="noopener noreferrer">Privacy</a> • <a href="https://spring.io/trademarks">Trademark Guidelines</a> <span id="thank-you-mobile">• <a href="https://spring.io/thank-you">Thank you</a></span> • <a href="https://www.vmware.com/help/privacy/california-privacy-rights.html">Your California Privacy Rights</a> • <a class="ot-sdk-show-settings">Cookie Settings</a> <span id="teconsent"></span></p>
<p class="smallest antialiased">Apache®, Apache Tomcat®, Apache Kafka®, Apache Cassandra&trade;, and Apache Geode&trade; are trademarks or registered trademarks of the Apache Software Foundation in the United States and/or other countries. Java&trade;, Java&trade; SE, Java&trade; EE, and OpenJDK&trade; are trademarks of Oracle and/or its affiliates. Kubernetes® is a registered trademark of the Linux Foundation in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Windows® and Microsoft® Azure are registered trademarks of Microsoft Corporation. “AWS” and “Amazon Web Services” are trademarks or registered trademarks of Amazon.com Inc. or its affiliates. All other trademarks and copyrights are property of their respective owners and are only mentioned for informative purposes. Other names may be trademarks of their respective owners.</p>
</div>
<div id="social-icons" class="flex jc-between">
<a href="https://www.youtube.com/user/SpringSourceDev" title="Youtube"><svg id="youtube-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 40"><circle class="cls-1" cx="20" cy="20" r="20" /><path class="cls-2" d="M30.91,14.53a2.89,2.89,0,0,0-2-2C27.12,12,20,12,20,12s-7.12,0-8.9.47a2.9,2.9,0,0,0-2,2A30.56,30.56,0,0,0,8.63,20a30.44,30.44,0,0,0,.46,5.47,2.89,2.89,0,0,0,2,2C12.9,28,20,28,20,28s7.12,0,8.9-.47a2.87,2.87,0,0,0,2-2A30.56,30.56,0,0,0,31.37,20,28.88,28.88,0,0,0,30.91,14.53ZM17.73,23.41V16.59L23.65,20Z" /></svg></a>
<a href="https://github.com/spring-projects" title="Github"><svg id="github-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 75.93 75.93"><path class="cls-1" d="M38,0a38,38,0,1,0,38,38A38,38,0,0,0,38,0Z" /></g><path class="cls-2" d="M38,15.59A22.95,22.95,0,0,0,30.71,60.3c1.15.21,1.57-.5,1.57-1.11s0-2,0-3.9c-6.38,1.39-7.73-3.07-7.73-3.07A6.09,6.09,0,0,0,22,48.86c-2.09-1.42.15-1.39.15-1.39a4.81,4.81,0,0,1,3.52,2.36c2,3.5,5.37,2.49,6.67,1.91a4.87,4.87,0,0,1,1.46-3.07c-5.09-.58-10.45-2.55-10.45-11.34a8.84,8.84,0,0,1,2.36-6.15,8.29,8.29,0,0,1,.23-6.07s1.92-.62,6.3,2.35a21.82,21.82,0,0,1,11.49,0c4.38-3,6.3-2.35,6.3-2.35a8.29,8.29,0,0,1,.23,6.07,8.84,8.84,0,0,1,2.36,6.15c0,8.81-5.37,10.75-10.48,11.32a5.46,5.46,0,0,1,1.56,4.25c0,3.07,0,5.54,0,6.29s.42,1.33,1.58,1.1A22.94,22.94,0,0,0,38,15.59Z" /></svg></a>
<a href="https://twitter.com/springcentral" title="Twitter"><svg id="twitter-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 75.93 75.93"><circle class="cls-1" cx="37.97" cy="37.97" r="37.97" /><path id="Twitter-2" data-name="Twitter" class="cls-2" d="M55.2,22.73a15.43,15.43,0,0,1-4.88,1.91,7.56,7.56,0,0,0-5.61-2.49A7.78,7.78,0,0,0,37,30a7.56,7.56,0,0,0,.2,1.79,21.63,21.63,0,0,1-15.84-8.23,8,8,0,0,0,2.37,10.52,7.66,7.66,0,0,1-3.48-1v.09A7.84,7.84,0,0,0,26.45,41a7.54,7.54,0,0,1-2,.28A7.64,7.64,0,0,1,23,41.09a7.71,7.71,0,0,0,7.18,5.47,15.21,15.21,0,0,1-9.55,3.37,15.78,15.78,0,0,1-1.83-.11,21.41,21.41,0,0,0,11.78,3.54c14.13,0,21.86-12,21.86-22.42,0-.34,0-.68,0-1a15.67,15.67,0,0,0,3.83-4.08,14.9,14.9,0,0,1-4.41,1.24A7.8,7.8,0,0,0,55.2,22.73Z" /></svg></a>
</div>
</footer>
<script src="../../_/js/site.js"></script>
<script async src="../../_/js/vendor/highlight.js"></script>
<script async src="../../_/js/vendor/tabs.js"></script>
<script src="../../_/js/vendor/switchtheme.js"></script>
<script src="../../_/js/vendor/docsearch.min.js"></script>

<script>
var search = docsearch({
  appId: '244V8V9FGG',
  apiKey: '82c7ead946afbac3cf98c32446154691',
  indexName: 'security-docs',
  inputSelector: '#search-input',
  autocompleteOptions: { hint: false, keyboardShortcuts: ['s'] },
  algoliaOptions: { hitsPerPage: 10 }
}).autocomplete
search.on('autocomplete:closed', function () { search.autocomplete.setVal() })
</script>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"702d396ccf7897ee","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
